find inactive accounts
John Hascall
john at iastate.edu
Wed Jan 20 08:47:32 EST 2010
> For PCI reasons I have to report all accounts which have been inactive
> (i.e. no logins) for three months. The goal here is to automate the
> process... [...grubbing through logs...]
What I would do is:
1) make sure my KDCs were configured "--with-kdc-kdb-update" when built
2) make sure all users' principals had the REQUIRES_PRE_AUTH attribute
3) then I would look through my latest kprop dump for lines starting with
"princ" and grab the 7th and 13th fields. For example:
princ 38 16 3 1 0 john@IASTATE.EDU 128 2592000 2592000 2019707940 0 1263942513 1263938175 0 ... -1;
in this case, field 13 is "1263942513" which is:
Tue Jan 19 17:08:33 CST 2010
same as you can see in kadmin[.local]:
kadmin.local: getprinc john
Principal: john@IASTATE.EDU
Expiration date: Sat Dec 31 23:59:00 CST 2033
Last password change: Fri Jan 15 18:27:54 CST 2010
Password expiration date: [none]
Maximum ticket life: 30 days 00:00:00
Maximum renewable life: 30 days 00:00:00
Last modified: Fri Jan 15 18:27:54 CST 2010 (kadmind@IASTATE.EDU)
Last successful authentication: Tue Jan 19 17:08:33 CST 2010 <<<<<<<<<<
Last failed authentication: Tue Jan 19 15:56:15 CST 2010
Failed password attempts: 0
...
Attributes: REQUIRES_PRE_AUTH
John
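The procedure above, worked through as an added example that is not part of John's post or of MIT Kerberos itself: a Python script that walks a kdb5_util dump, takes field 7 (principal) and field 13 (last successful authentication) from every "princ" line as the post describes, and buckets each user principal as active, inactive for more than 90 days, never authenticated since tracking began, or lacking REQUIRES_PRE_AUTH (in which case the stamp is not trustworthy, per step 2). The 0x80 attribute bit is KRB5_KDB_REQUIRES_PRE_AUTH from MIT's kdb.h, which is the 128 in the example line. The sample dump lines other than john's, the reference time, the 90-day window and the rule that a "/" in the name marks a service principal to skip are constructed assumptions for illustration.

```python
#!/usr/bin/env python3
"""List principals with no successful authentication in the last N days,
read from a kdb5_util dump.  Added example; not the script from the post."""

import datetime

# Field positions (1-based, as counted in the post) in a "princ" dump line:
#   7  principal name
#   8  attributes bitmask (128 in the example = REQUIRES_PRE_AUTH)
#  13  last successful authentication, Unix time (0 = none recorded)
#  14  last failed authentication, Unix time
F_PRINC, F_ATTRS, F_LAST_SUCCESS, F_LAST_FAILED = 7, 8, 13, 14

# KRB5_KDB_REQUIRES_PRE_AUTH from MIT krb5 kdb.h.  Without it the KDC issues a
# TGT before verifying anything, so the last-success stamp means little (step 2).
KRB5_KDB_REQUIRES_PRE_AUTH = 0x80

INACTIVE_DAYS = 90  # "three months" from the original question


def parse_princ_line(line):
    """Return the fields of interest from one 'princ' line, or None for anything else.

    Real dumps are tab-separated; the copy in the post has been whitespace-mangled,
    so fall back to splitting on runs of whitespace when no tab is present.
    """
    if not line.startswith("princ"):
        return None  # dump header, policy lines, blank lines
    fields = line.rstrip("\n").split("\t") if "\t" in line else line.split()
    if len(fields) < F_LAST_FAILED:
        return None
    return {
        "principal": fields[F_PRINC - 1],
        "attributes": int(fields[F_ATTRS - 1]),
        "last_success": int(fields[F_LAST_SUCCESS - 1]),
        "last_failed": int(fields[F_LAST_FAILED - 1]),
    }


def classify(rec, now, inactive_days=INACTIVE_DAYS):
    """Bucket one principal: 'no-preauth', 'never', 'inactive' or 'active'."""
    if not rec["attributes"] & KRB5_KDB_REQUIRES_PRE_AUTH:
        return "no-preauth"  # stamp unreliable; set the attribute, then re-check later
    if rec["last_success"] == 0:
        return "never"  # nothing recorded since --with-kdc-kdb-update went live
    if now - rec["last_success"] > inactive_days * 86400:
        return "inactive"
    return "active"


def is_service_principal(name):
    # Assumption: a '/' in the name marks a service/host principal (host/, HTTP/,
    # krbtgt/), which is not a user account for the PCI report.
    return "/" in name.split("@", 1)[0]


def report(dump_text, now, inactive_days=INACTIVE_DAYS, skip_service=True):
    """Map bucket -> sorted principal names for every user principal in the dump."""
    buckets = {"inactive": [], "never": [], "no-preauth": [], "active": []}
    for line in dump_text.splitlines():
        rec = parse_princ_line(line)
        if rec is None or (skip_service and is_service_principal(rec["principal"])):
            continue
        buckets[classify(rec, now, inactive_days)].append(rec["principal"])
    return {k: sorted(v) for k, v in buckets.items()}


def fmt_utc(ts):
    """Render a dump timestamp the way kadmin's getprinc does, but in UTC."""
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


# Constructed sample dump (tab-separated, key data elided to "-1;").  john's line
# carries the values from the post; the other principals are made up to exercise
# each bucket.
SAMPLE_DUMP = "\n".join([
    "kdb5_util load_dump version 6",
    "princ\t38\t16\t3\t1\t0\tjohn@IASTATE.EDU\t128\t2592000\t2592000\t2019707940\t0\t1263942513\t1263938175\t0\t-1;",
    "princ\t38\t16\t3\t1\t0\talice@IASTATE.EDU\t128\t2592000\t2592000\t2019707940\t0\t1260000000\t0\t0\t-1;",
    "princ\t38\t16\t3\t1\t0\tbob@IASTATE.EDU\t128\t2592000\t2592000\t2019707940\t0\t0\t0\t0\t-1;",
    "princ\t38\t16\t3\t1\t0\tcarol@IASTATE.EDU\t0\t2592000\t2592000\t2019707940\t0\t1263942513\t0\t0\t-1;",
    "princ\t38\t16\t3\t1\t0\thost/kdc.iastate.edu@IASTATE.EDU\t128\t2592000\t2592000\t2019707940\t0\t1269000000\t0\t0\t-1;",
])

# Constructed reference time: 2010-03-31 01:46:40 UTC.  john authenticated about
# 70 days earlier (active); alice about 116 days earlier (inactive).
NOW = 1270000000

if __name__ == "__main__":
    for bucket, names in report(SAMPLE_DUMP, NOW).items():
        for name in names:
            print(f"{bucket:11s} {name}")
```

In practice you would feed it the output of kdb5_util dump and use time.time() as the reference, and treat the "never" and "no-preauth" buckets as findings in their own right: the first is either a genuinely unused account or one created before last-success tracking was enabled, and the second cannot be reported on at all until the attribute is set.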